Using a User Based Filter to Push Policies to Mobile Devices

Machine Translations

We had a need in our organisation to be able to push out mobile policies simply based on the username. This article describes a method to create a filter which looks up the users of another filter, then determines what mobile device they use and populates those devices.

The below steps will create a filter which get the user resources from a second filter, then determines what mobile devices those users are owners of. The instructions assume you've already created a filter with the user resources you need (In this example, the user filter is called "MobileTestFilter".

Creating the Filter (Filter is attached):

1) Create a new filter, set the Query Mode to Query Builder and set the base query to Mobile.

2) In the Query tab, click on the Use Resource Type Associations link and select Asset User Owners to User

3) Then create an Inner Join to CollectionMembership, using User.Guid in the left field and ResourceGuid on the right.

4) Create another Inner Join to vCollection, using CollectionMembership.CollectionGuid in the left field and Guid on the right.

5) Click on the Filter Expressions tab and change the base query to Equals (switch to Advanced mode if it isn't already).

6) Under Filter Expression Operands, change the Integer setting next to {0}: to Field and select vCollection.name

7) Change the Integer setting next to {1}: to Text and type the name of the filter containing your user list (in this example, the filter name is MobileTestFilter.

9) Click on Save Changes and then click Update Membership on the filter. You should see the Mobile resource types owned by the users listed in the first filter. From there you just need to apply this filter to your mobile management policy. Your servicedesk staff (or self-service workflows) just need to update the first filter with the user resources, and the filter we just created does the rest.

This provides an easy way to add users for a mobile related payload (such as EAS or an RSS feed for a software push) without needing to know what their mobile device is called (or if they get a new device). It also eliminates an issue where when you update a mobile policy at all (including the target membership), the policy gets pushed out to all devices again.

This example could be used in tandem with an AD import or CMDB rule to import AD users to a filter if you prefer to do your mobile management groups through ADUC.

You can also use this same methodology for a computer filter to apply policy content that isn't available to apply per user, such as eiPower settings, etc.

We just finished getting MDM 7.2 up and running and your articles (this one and the MDM Device Ownership) seem like a great idea.

I am a bit new to the Filters aspect. You mention in this article that one requirement is to create a resource filter with the user resources required. Is there anyway you could give me an example of one?

Sure. There are quite a few ways you can populate filters. There's static filters where you use the "Explicit Inclusions and Exclusions" area to manually add resources (in this case, users), or you can use the Query mode to create some dynamic filter which populates based on a criteria (E.G. users in a particular OU).

For the above example, you could just use a static filter, but there's really a lot of ways to go, you could even import some users from an AD group into a filter.

I just did a quick search and the below vid might be a good place to start on creating dynamic filters.